Memorandum from the Office of the Inspector General

July 31, 2007

E. Wayne Robertson, SP 5A-C

REQUEST FOR FINAL ACTION – AUDIT 2007-008T – PRIVACY PROTECTION – TVA USE OF INFORMATION IN IDENTIFIABLE FORM

Attached is the subject final report for your review and final action. Your written comments, which addressed your management decision and actions planned or taken, have been included in the report. Please notify us when final action is complete.

If you have any questions, please contact Sylvia J. Whitehouse, Senior Auditor, at (865) 632-2640 or Jill M. Matthews, Director, Information Technology Audits, at (865) 632-4730. We appreciate the courtesy and cooperation received from your staff during the audit.

Ben R. Wagner
Deputy Inspector General
ET 3C-K

SJW:SDB
Attachment
cc (Attachment):
      Steven A. Anderson, SP 5A-C
      R. Clay Eckles, CTR 1P-M
      Frank A. Foster, OCP 2C-NST
      Nicholas P. Goschy, Jr., WT 6A-K
      Tom D. Kilgore, WT 7B-K
      John E. Long, Jr., WT 7B-K
      Stacie A. Martin, MP 3C-C
      Janice W. McAllister, EB 7A-C
      Richard W. Moore, ET 4C-K
      Mary E. Ragland, EB 5B-C
      Edward C. Ricklefs, EB 5B-C
      Emily J. Reynolds, OCP 1L-NST
      OIG File No. 2007-008T


Office of the Inspector General   Audit Report
To the Vice President, Information Services

PRIVACY PROTECTION - TVA'S USE OF INFORMATION IN IDENTIFIABLE FORM

Audit Team: Sylvia J. Whitehouse, Sarah E. Huffman
Audit 2007-008T
July 31, 2007


TABLE OF CONTENTS

EXECUTIVE SUMMARY ........ i
BACKGROUND ........ 1
OBJECTIVES, SCOPE, AND METHODOLOGY ........ 1
FINDINGS ........ 2
   PRIVACY REPORT COMPLETENESS ........ 3
   CONSISTENCY WITH FEDERAL REQUIREMENTS ........ 4
   PRIVACY PROGRAM EFFECTIVENESS ........ 4
   CONSISTENCY OF PRACTICES WITH PROCEDURES ........ 5
RECOMMENDATIONS ........ 6

APPENDIX
MEMORANDUM DATED JULY 30, 2007, FROM E. WAYNE ROBERTSON TO BEN R. WAGNER


EXECUTIVE SUMMARY

As part of our annual audit plan, we performed an audit of the Tennessee Valley Authority (TVA) privacy program, policies, procedures governing use of information in identifiable form (IIF),[i] and privacy protection practices. The audit objectives were to determine if TVA's (1) Information Services Privacy Program Summary Report (Privacy Summary Report) on privacy policies and procedures and use of IIF was accurate and complete, (2) policies and procedures were consistent with federal privacy requirements, (3) privacy program was designed effectively to accomplish its objectives, and (4) privacy-related practices complied with policies and procedures.

We identified three areas where TVA's Privacy Summary Report to the Office of the Inspector General (OIG) needed improvement. In addition, we found:

• TVA's privacy policies and procedures were generally consistent with federal requirements. However, we noted five areas where we believe additional guidance is needed. We further noted TVA is in the process of updating its privacy policies and procedures.
• While TVA has made progress in implementing privacy program components, a focused effort is needed to strengthen the program in the following two areas: (1) complete implementation of planned privacy assessments of all systems[ii] identified with IIF, and (2) ensure privacy activities are better integrated between TVA groups who have privacy responsibilities.
• TVA needs to improve its privacy practices through (1) reviews and updates of Privacy Act Systems of Records[iii] notices and (2) implementation of best practices on systems with IIF.

At the end of our fieldwork on March 8, 2007, our review had not identified any significant IIF compromises reported to the OIG for the two-year period ending December 6, 2006, and no instances of criminal or civil liability relating to loss of personal information were reported by the Office of the General Counsel (OGC). On March 20, 2007, we issued a draft report to management for comment. During the comment period, an issue came to our attention regarding placement of IIF or other sensitive information on temporary share drives. As a result, we withdrew the original draft report until we could perform an audit to determine the extent of exposure of IIF.

Audit 2007-10997, Review of Temporary Shares for Sensitive Information, identified 32 incidents of IIF on temporary shares which were not properly secured and could have been accessed by anyone with a TVA network account. As noted in the report, we could not determine if the IIF had been inappropriately accessed since there is no usage tracking available for temporary shares. Weaknesses in any privacy program can lead to potential legal liabilities and reputation damage.

We recommend the Senior Vice President, Information Services, take actions to improve TVA's privacy program and address the identified weaknesses. Recommendations for Audit 2007-10997 are included in that report.

TVA management agreed with our recommendations and proposed actions to implement program improvements (see the Appendix for the complete response). TVA management plans to complete corrective actions by the end of fiscal year 2007, except for recommendation 7, which is scheduled for completion at the end of fiscal year 2008. We concur with TVA management's proposed actions.

[i] Information in identifiable form (IIF) – Defined as any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means, consistent with Public Law 107–347, the E-Government Act of 2002.
[ii] The term "systems" as used in this report includes major applications, minor applications, and general support systems.
[iii] The term "Systems of Records" as used in this report refers to Privacy Act defined Systems of Records and includes all forms of records, not just records contained in information technology systems.


BACKGROUND

The Consolidated Appropriations Act of 2005 (the Act) was enacted in December 2004. Along with changing Tennessee Valley Authority (TVA) management structure, the Act contained a provision regarding privacy protection. Specifically, §522 of the Act required (1) a Chief Privacy Officer be designated to assume primary responsibility for privacy and data protection policy; (2) comprehensive privacy and data protection procedures be established and implemented; (3) the agency to report to the Inspector General on its use of information in identifiable form (IIF)[1] and its privacy and data protection policies and procedures; and (4) an independent review of the agency's use of IIF at least every two years.

While the applicability of §522 of the Act to TVA is not clear, TVA actions consistent with the Act and guidance issued by the Office of Management and Budget (OMB) included (1) naming the Information Services (IS) Senior Vice President as TVA's Senior Agency Official for Privacy (SAOP) in October 2005 and (2) submitting an IS Privacy Program Summary Report (Privacy Summary Report) to the Inspector General in September 2006. The Office of the Inspector General (OIG) conducted this audit as the independent review of TVA's use of IIF.

TVA's SAOP is responsible for agency-wide information privacy issues and protections and for ensuring compliance with applicable federal laws, regulations, and policies. TVA has information in identifiable form from employees, retirees, contractors, business partners, and the public.

[1] Information in identifiable form (IIF) – Defined as any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means, consistent with Public Law 107–347, the E-Government Act of 2002.


OBJECTIVES, SCOPE, AND METHODOLOGY

This audit, which was included in our annual audit plan, evaluated TVA's use of IIF relating to TVA employees and the public and determined the:

a. Extent to which the Privacy Summary Report is accurate and accounts for TVA's current technologies, information processing, and all areas consistent with the Act;
b. Consistency of TVA's privacy policies and procedures with applicable laws and regulations;
c. Effectiveness of TVA's privacy program and data protection procedures governing the collection, use, sharing, disclosure, transfer, and security of IIF; and
d. Compliance of actual privacy and data collection practices with TVA's privacy procedures.

In order to meet audit objectives, we completed the following fieldwork during January and February 2007:

• Compared TVA privacy policies and procedures with federal privacy requirements from the Privacy Act of 1974, privacy provisions of the E-Government Act of 2002, and OMB implementing guides;
• Discussed privacy-related activities with staff members in several TVA groups, including IS IT Security, IS Document and Records Management, Communications, Procurement, the Office of the General Counsel (OGC), and the OIG;
• Evaluated TVA privacy-related reports and privacy program management practices;
• Reviewed TVA public and internal Web sites for privacy-related information;
• Reviewed the IS listing of privacy policies and procedures for completeness and to identify specific measures for privacy protection;
• Reviewed OIG investigative records to identify complaints concerning loss of personal information;
• Evaluated records management practices for compliance with federal privacy requirements;
• Compared the IS baseline of significant systems with IIF to the systems inventory to determine whether additional systems warrant inclusion for protecting IIF;
• Reviewed privacy protection practices and identified privacy statements for a sample of systems with IIF to identify best practices in place at TVA; and
• Identified use of continuous auditing in significant systems with IIF and methods used to mitigate risks of inadvertent release of IIF from TVA Web sites.

We conducted this audit in accordance with generally accepted Government Auditing Standards.


FINDINGS

In summary, we determined:

• TVA's Privacy Summary Report to the OIG needed improvement in three areas.
• TVA's privacy policies and procedures were generally consistent with federal requirements. However, we noted: (1) five areas where we believe further guidance is needed, and (2) TVA is in the process of updating its privacy policies and procedures.
• While TVA has made progress in implementing privacy program components, a focused effort is needed to strengthen the program in the following two areas: (1) complete implementation of planned privacy assessments of all systems[2] identified with IIF, and (2) ensure privacy activities are better integrated between TVA groups who have privacy responsibilities.
• TVA needs to improve its privacy practices through (1) reviews and updates of Systems of Records[3] notices and (2) implementation of best practices on systems with IIF.

At the completion of our fieldwork on March 8, 2007, our review indicated there were no significant IIF compromises reported to the OIG for the two-year period ending December 6, 2006, and no instances of criminal or civil liability relating to loss of personal information were reported by the OGC. However, as discussed further below, an issue came to our attention subsequent to our review indicating IIF was available on temporary share drives to anyone with a TVA network account. Weaknesses in a privacy program could result in compromise of private information, which may lead to potential legal liabilities and reputation damage.

PRIVACY REPORT COMPLETENESS

In the September 2006 Privacy Summary Report to the OIG, IS provided a list of 60 privacy and data protection policies and procedures. In a separate document, IS identified 50 significant systems with IIF making up the TVA baseline. The Privacy Summary Report could be improved by including:

• Four areas related to privacy protection policies and procedures that were not included in the Summary Report: oversight by the IT Security Executive Committee, Acceptable Use Requirements for the TVA Corporate Network, the new IS procedure on Privacy Impact Assessments, and TVA's Systems of Records.
• Three systems related to electronic deposits, personnel records, and contractor personnel that IS confirmed contained IIF but were not considered in developing the system baseline. During our audit, IS agreed to include the three systems in plans for privacy assessments.
• Current technologies to be used in protecting or transmitting IIF. Projects to implement encryption on desktops and servers and access controls using smart card technology were either in progress or in planning stages.

[2] The term "systems" as used in this report includes major applications, minor applications, and general support systems.
[3] The term "Systems of Records" as used in this report refers to Privacy Act defined Systems of Records and includes all forms of records, not just records contained in information technology systems.

CONSISTENCY WITH FEDERAL REQUIREMENTS

TVA and IS privacy and data protection policies and procedures that we evaluated were consistent with the majority of federal requirements. However, we believe further or more explicit guidance, based on Privacy Act requirements and OMB guidelines, is needed in the following areas: (1) identifying contracts subject to privacy requirements; (2) requiring machine-readable privacy policies on contractor-hosted Web sites; (3) maintaining the minimal information about individuals necessary to accomplish agency purposes; (4) prohibited disclosure practices, such as selling or renting names and addresses; and (5) processes for notifying individuals of pending releases. IS reported revisions were being reviewed to incorporate privacy components in two TVA-wide policies and three procedures.

PRIVACY PROGRAM EFFECTIVENESS

While TVA has made progress in implementing privacy program components, a focused effort is needed to strengthen the program in the following two areas: (1) completion of all planned privacy assessments of systems with IIF and (2) better integration between TVA groups who have privacy responsibilities.

Since naming TVA's SAOP, IS has made progress in implementing planned privacy program components. Notable accomplishments include implementing privacy training as part of TVA's annual required security awareness and training program, establishing methodologies for identifying and assessing systems with IIF, and initiating security categorizations of information systems. IS completed TVA's first privacy assessment in September 2006. Continued progress is needed to ensure TVA's privacy program completes the implementation necessary for achieving optimal systems protections. More specifically, completing privacy assessments of systems with IIF will be required for TVA to identify best practices and implement the measures necessary to adequately protect such systems and the data they contain. During our audit, we were provided a tentative schedule for completing the assessments of 53 systems during fiscal year 2007.

Although we found some coordination between groups handling TVA's privacy responsibilities, that coordination needs to be improved. Activities related to privacy protection and compliance with privacy requirements include: managing and safeguarding information systems; records management; exemptions to releases of information under the Freedom of Information Act; contracting actions; training all personnel; handling and tracking legal actions; and investigating privacy-related allegations such as identity theft. These functions are managed in different TVA groups, including IS Architecture, Planning, & Compliance; Communications; Human Resources; Procurement; TVA Police; Nuclear Security; the OGC; and the OIG. However, we did not find privacy-related responsibilities clearly documented for all areas, and an integrated view of TVA privacy efforts describing the relationships between the groups performing privacy protection functions did not exist. An effective privacy program will also clearly communicate responsibilities of security officers, systems owners, records liaisons, and all personnel to help ensure systems are adequately protected and compliance is consistently met over time.

We reviewed allegations reported to the OIG in the last two years and identified no significant IIF compromises as of December 6, 2006. In addition, we determined no instances of criminal or civil liability relating to loss of personal information were reported by the OGC. However, subsequent to our draft report dated March 20, 2007, an issue came to our attention regarding placement of IIF or other sensitive information on temporary share drives. We withdrew the draft report pending an audit of this issue to determine the extent of exposure. Audit 2007-10997, Review of Temporary Shares for Sensitive Information, identified 32 incidents of IIF on temporary shares which were not properly secured and could have been accessed by anyone with a TVA network account. As noted in that report, we could not determine if the IIF had been inappropriately accessed since there is no usage tracking available for temporary shares.

CONSISTENCY OF PRACTICES WITH PROCEDURES

TVA needs to improve the consistency of privacy practices with procedures through (1) reviews and updates of Systems of Records notices and (2) implementation of best practices on systems with IIF. We found IS submitted required reports on privacy, matching programs, and altered Systems of Records. In addition, we identified practices in place for protecting sensitive printed and electronic documents, including documents containing IIF, submitted for processing in TVA's file management system. Although we did not perform an in-depth review of these practices, we found no significant concerns relating to document management in TVA's file management system.

We found IS had not updated the Systems of Records notices since 1999, although a revision in routine uses was published in 2003. We further found IS had not conducted reviews of TVA Systems of Records notices to ensure their accuracy or reviews of routine use disclosures and exemptions consistent with OMB guidance.[4] We believe as a best practice such reviews should be conducted periodically, and the systems notices should be updated. We did not attempt to determine whether any new or revised Systems of Records are required for TVA information systems because IS' planned assessments will include this determination.

Based on our review of systems best practices, we determined additional measures may be warranted on internal systems accessible to general TVA users. All tested systems containing IIF restricted user access, but other protection measures were not consistently in place. Approximately one-half of the systems we tested provided a privacy notice when either general or privileged users logged on to the system. Although we found no specific requirement for posting privacy notices in internal systems, implementation is generally a low-cost solution to help remind users the system contains private information and requires special protection. Other protection measures, including monitoring transactions, reviewing activity logs, and continuous auditing techniques, were present in some systems but not widely used. None of the tested systems had implemented encryption technologies, although we noted TVA's encryption project is in progress.

[4] Appendix I to OMB Circular A-130, Federal Agency Responsibilities for Maintaining Records About Individuals, states Systems of Records should be reviewed every two years to ensure accuracy, and reviews of routine use disclosures and exemptions should take place every four years to ensure reported uses are compatible with agency purposes and exemptions are still needed.


RECOMMENDATIONS

We recommend the Senior Vice President (SVP), IS, consider the following program improvements:

1. Ensure future privacy reports to the OIG include all privacy protection policies and procedures and current technologies to be used in protecting or transmitting IIF.
2. Complete revisions of policies and procedures, including addressing areas identified in this report and clearly identifying privacy-related responsibilities.
3. Complete all planned privacy assessments of systems with IIF.
4. Enhance integration of privacy compliance and protection efforts managed among TVA groups to ensure activities are adequately coordinated.
5. Update TVA's Systems of Records to include revisions and ensure descriptions are accurate.
6. Conduct and document periodic reviews of TVA's Systems of Records.
7. Implement privacy notices on all internal systems with IIF accessible to general users from the TVA corporate network and consider implementing other measures as appropriate to protect systems with IIF.

Recommendations for Audit 2007-10997 are included in that report.

Management's Response – The SVP, IS, agreed with our recommendations and proposed actions to implement program improvements (see the Appendix for the complete response). IS plans to complete corrective actions by the end of fiscal year 2007, except for recommendation number 7, which is scheduled for completion at the end of fiscal year 2008.

Auditor's Response – We concur with TVA management's proposed actions.


APPENDIX

Memorandum dated July 30, 2007, from E. Wayne Robertson to Ben R. Wagner (2 pages)